Description
The SAP security note addresses several vulnerabilities identified in SAP Financial Consolidation. The vulnerability details along with their CVE relevant information can be found below.
1. XPath Injection
The SAP Financial Consolidation legacy web enables malicious users to use crafted input to break out of the data context in which their input appears and to interfere with the structure of the surrounding query.
- CVE-2019-0370
- CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Some well Known impact of Xpath injection vulnerability include
- exploitation of an XPath injection flaw in order to read sensitive application data or to interfere with application logic.
2. Cross Site Scripting
The SAP Financial Consolidation legacy web client does not sufficiently encode user controlled inputs, resulting in a reflected cross-site scripting (XSS) vulnerability.
- CVE-2019-0369
- CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Some well-known impacts of XSS vulnerability include
- non-permanently deface or modify displayed content from a web site
- steal authentication information of the user, such as data relating to their current session
- impersonate the user and access all information with the same rights as the target user
Available fix and Supported packages
- FINANCE | 1000 | 1000
- FINANCE | 1010 | 1010
- SBOP FINANCIAL CONS. 10.0 | SP019 | 000010
- SBOP FINANCIAL CONS. 10.0 | SP020 | 000000
- SBOP FINANCIAL CONS. 10.1 | SP008 | 000002
- SBOP FINANCIAL CONS. 10.1 | SP009 | 000000
Affected component
- EPM-BFC-TCL
Technical Components
CVSS
Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2806403